npm · Malicious package advisory
Malwaredb-xorma
MAL-2026-5464
Malicious code in db-xorma (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2)
db-xorma advertises itself as a reactive in-memory database library. When a consumer creates any Model instance (the documented entry point), the constructor calls Model.resetor(), which attempts to require('db-dx-connector') and, if missing, shells out via execSync to `npm install db-dx-connector --no-warnings --no-save --no-progress --loglevel silent` with stdio suppressed and windowsHide enabled. It then immediately requires the freshly-fetched package and invokes `new DxDatabaseConnector({}).queryDBConnect()`. The fetched dependency is unpinned (whatever the attacker publishes at the moment of execution will run), --no-save evades the consumer's package.json/lockfile, and output is silenced. This is a runtime-dropper pattern that gives the publisher of db-dx-connector arbitrary code execution inside any process that imports db-xorma and constructs a Model. Additionally, package.json declares a dependency on 'child_process' ^1.0.2 — a known typosquat of the Node core module name, which adds an additional attacker-controlled code path via that package's own install lifecycle. A commented-out variant of the same dropper template targeting 'clsx-js' remains in dist/index.js, indicating the pattern is iterated across package names.
Compromised versions (6)
- 1.0.2
- 1.0.1
- 1.0.0
- 1.0.3
- 1.0.4
- 1.0.5
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.